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FOREWORD 


This report describes the rationale, mechanization, analysis, and testing of 
StabUitv 1 ^ r f Undanc y modification to a double fail -operational 

L Tf ; j° n y f em ' f 3 t3Sk in the ^-funded contract NAS2- 

L a ° r t^m ° n - \ llevUtln « qualities degradation for a 

i xed static stability airplane on a system level, and on Droeram 
modifications and revalidation on a software level. program 

im0l0m00t0d°f t ^% task was to ^^strate the potential benefits of software - 
implemented fault tolerance as applied to sensor hardware, and to investigate 

the overhead incurred in flight software and its airworthiness determination 
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1 . 0 INTRODUCTION 


An existing quadruplex digital flight control system (DFCS) was modified to 
incorporate analytical sensor redundancy for improved sensor hardware fault 
tolerance. Basically, this is a tradeoff of software functionality/overhead 
tor a reduction in system components. Such a tradeoff may be justified in 
the case of a stability augmentation system (SAS) for a relaxed static 
stability (RSS) airplane. If the SAS function is critical, associated 
protective redundancy requires substantial sensor redundancy. In the case of 
air data and inertial sensors, a useful degree of redundancy can be obtained 
through an observer algorithm (Reference 2), rather than through further 
replication of components. 


Basically an observer relies on knowledge of the airplane's dynamic behavior 
and the fiight control effector inputs, together with sensor signals as 
available, to mathematically reconstruct unmeasured or questionable sensor 
states Such concepts call for new sensor voting schemes and reconfiguration 
logic, but the computational requirements are not very demanding Perhaps 
the biggest problem for practical utility is that of ensuring that the 
observer always captures a workable representation of the airplane dynamics 
for otherwise the estimated states will be skewed. In an actual DFCS, some 
degree of inaccuracy is permissible in the form of tolerances in the fault 
decision logic. Note also that additional software overhead required to 
periodically update the software model of the airplane dynamics 


Since here the example application of analytical sensor redundancy was 
retrofitted to an existing system, software modifications were designed to 
minimize the architectural/revalidation impact. This effort focused largely 
on the definition and control of interfaces of DFCS program units, and on a 
clear delineation and discernment of the functionality contained within the 
respective units. 


1.1 Executive Summary 

For an augmented fly-by-wire (AFBW) system, there is no way to predict or 
estimate what the pilots' input command transducers will or should be but 
the sensors of the airframe dynamics are rather accurately anticipatable 
through workable knowledge of the airplane dynamics. The latter can 
therefore be captured in a mathematical model called an observer system 
(References 2 and 3), which is implemented in the DFCS computers to execute 
in real-time in parallel with the actual airplane motion. Such a model is 
depicted in Figure 1, where flight hardware sensor measurements are 
llltlt * C ° mpared With observer Projections of the appropriate sensor 


Analytical redundancy fault detection is achieved in a manner as shown in 
Figure 2 One or more of a given type airplane sensor is applied to a voter 
type fault detection logic along with the associated observer output 
estimate. The observer signal is then used in determining a faulted sensor 
under the assumption that only a single fault event occurs. Conventional 
hardware sensor voting is normally employed until only two remaining sensors 
disagree. The observer therefore constitutes a tie-breaker in the event that 
two remaining sensors of a given type disagree. In a conventional DFCS both 
would be discarded as untrustworthy. 
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Figure 1. Analytical Redundancy Concept 
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Figure 2. Analytical Sensor Fault Detection 





In the case of a previously implemented DFCS at NASA Ames' Reconf igurable 
Digital Flight Control System (RDFCS) simulator (see Reference 1), the SAS 
function for an RSS airplane was crucially dependent on angle-of -attack (AOA) 
feedback to preclude a rapid pitch-axis divergence. Pitch rate was used for 
improved short -period flying qualities, but this was not critical to safe 
flight. Here the DFCS software was modified to incorporate an analytical 
redundancy function, and the resultant sensor fault tolerance was assessed 
from a reliability standpoint and demonstrated from a system failure effects 
standpoint. In both cases, general effectiveness was evident. 

Clearly, analytical sensor redundancy can improve system reliability under 
given conditions, but the definitive issue is really life cycle costs. Do 
the economies of reducing line replaceable units (LRUs) on an aircraft 
warrant the additional software complexity and overhead? In the event they 
do, airworthiness concerns evoked by the expanded software c mplexity and the 
additional reliability assessments must be addressed. Such concerns are 
explicitly treated in the remainder of this report. 

Much of the software design and implementation work under the sponsoring 
contract has been accomplished using the programming language Ada. Although 
originally oriented toward U.S. Department of Defense applications, Ada is 
now envisioned as a civil aviation standard language under ARINC auspices. 
This direction is in accord with the experience of the subject work in that 
the options and impact of Ada software modifications are clarified and well 
controlled through the use of Ada-based design. Although the RDFCS simulator 
necessitated the use of the AED (Algol Extended for Design) language for 
software implementation, Ada was still used for the associated design. 
Resultantly , Ada was supportive of the software redesign and revalidation 
test case definition. 

As a by-product of the observer implementation, the basic algorithm was shown 
to be very effective in filtering wind gust components from the angle -of - 
attack (AOA) sensor signals. In cases where the gust component is not 
desired, the observer can effectively remove sensor noise which cannot be 
accomplished through linear filtering without significant loss of signal 
content. The instance of AOA- or airspeed-based autothrottles is an apt 
example. Here, the gust components tend to result in spurious and 
disconcerting throttle activity, which can be essentially eliminated by an 
observer. For ride quality improvement, however, atmospheric sensor noise 
would be valid signal content, for the DFCS would attempt to suppress the 
associated airplane motion. 

1.2 Assessment Problem 

Three main assessment tasks were undertaken: analytical redundancy design 
analysis, system reliability assessment, and test evaluation of the modified 
system mechanization. The design analysis was performed via Ada program unit 
examination, the reliability assessment using a substantially revised version 
of CARSRA (Computer-Aided Redundant System Reliability Analysis program 
(Reference 4), and the testing via non-realtime simulation. Real-time RDFCS 
simulator testing was precluded by flight computer problems at the facility, 
which persisted until its de-commissioning. 



1.3 Relevance to Other Contractual Tasks 


Two other tasks under the FAA-sponsored contract, NAS2-11853, were closely 
related. The aforementioned quadruplex DFCS tasks addressed a rather 
conventional double fail-operational DFCS for AFBW, so it reflected the 
customary hardware replication approach to hardware fault tolerance. An In- 
version flight software task (Reference 5) confronted the issue of the 
tolerance of software faults in a manner that complemented and extended the 
quadruplex design. This entailed appreciable software additions to the 
overall DFCS program, which constitute the cost of achieving another 
dimension of fault tolerance. 

Like N-version software, the present task involves software- implemented fault 
tolerance. But here the focus is on the tolerance of sensor hardware faults. 
The major unifying aspect of the three tasks is the context of the same basic 
quadruplex system architecture, as reflected in the same high-level software 
design. This is rendered and modified as appropriate in Ada and graphics - 
type representations. Here the actual implementation of the DFCS software 
for the non-realtime was done in Ada as well*. 

1.4 Conclusions and Recommendations 

The present example of analytical sensor redundancy was largely illustrative 
of the architectural and software aspects of realizing a practical DFCS 
application. Certain basic aspects, such as updating the observer system 
dynamics in accord with that of the airplane's, have not been addressed 
fully. Nonetheless, the viability of observer type algorithms has been 
indicated in some meaningful degree. In the absence of the originally 
intended DFCS system demonstration (because of the de-commissioning of the 
RDFCS facility), it is now possible to demonstrate the analytical sensor 
redundancy through non- realtime simulation. This could be instructive in a 
tutorial context, but the need and justification does not appear to exist 
For the present, it seems sufficient to discern the basic concepts through 
reports such as this one, and to defer further depth of inquiry until 
specifics a full-scale implementation arise. 
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c i» • P^uom^na^^^rif^^L ed ai I PU ^ s cL n “ 1C t S I" 6 *1?“^ 

observer dynamics are implemented in discrete time in ‘a DF^S TunT* ’ 
the representation in Figure 3. me in a DFCS, building upon 

2.1 Abbreviations 


AFBW 

Augmented Fly-by-Wire 

AOA 

Angle -of -Attack 

CG 

Center -of -Gravity 

DFCS 

Digital Flight Control System 

DOF 

Degrees of Freedom 

LRU 

Line Replaceable Unit 

RDFCS 

Reconf igurable Digital Flight Control System 

RSS 

Relaxed Static Stability 

SAS 

Stability Augmentation System 

WRT 

With Respect To 
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A — > 

(AIRFRAME) SYSTEM MATRIX 

B — > 

FORCING FUNCTION MATRIX 

C — > 

SENSOR MATRIX 

u — > 

INPUT VECTOR 

x — > 

AIRCRAFT STATE VECTOR 

1 — > 

MEASUREMENT VECTOR 


c 

H — > HORIZONTAL STABILIZER DISPLACEMENT (ABOUT 
TRIM) 

5 TH— > INCREMENTAL THRUST (ABOUT TRIM) 

U — > LONGITUDINAL-AXIS VELOCITY WITH RESPECT TO 
(WRT INCIDENT AIRSTREAM) 

W — > VERTICAL-AXIS VELOCITY (WRT INCIDENT 
(AIRSTREAM) 

q — > PITCH RATE 

Q — > PITCH ATTITUDE 

V T --> TRUE AIRSPEED 

a — > ANGLE-OF-ATTACK 

n 2 __> VERTICAL-AXIS LOAD FACTOR (PER NORMAL 
ACCELEROMETER) 


Figure 3. Airplane Dynamics Block Diagram (Sheet 2 of 2) 
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2.2 Managed Flying Qualities Degradation 


With the increasing prevalence of RSS airplanes, pitch-axis flying qualities 
have become a more compelling concern because of the accompanying reduction 
or loss of inherent airframe stability. As an airplane's CG moves aft, the 
capacity of its wing to generate a nose down moment in response to an 
increase in AOA diminishes. At the neutral point, no pitching moment change 
results from an AOA change. If the CG is moved still farther aft, an 
increase in AOA yields a destabilizing pitch-up moment. This condition, 
which is referred to as a negative longitudinal stability margin, produces an 
absolute pitch-axis divergence. If at all rapid, such a divergence renders 
the airplane difficult or impossible to fly. 

Consequently, a pitch stability augmentation system (SAS) function is 
normally added to the flight control system to restore airframe stability to 
adequate levels through active controls. Stability augmentation involves the 
feedback of inertial or air data sensor signals. This "inner loop" feedback 
improves the apparent stability of the airframe and provides acceptable 
flying qualities. A general pitch SAS mechanization is depicted in Figure 4, 
which is an expanded version of the pitch-axis state variable representation 
of the rigid-body equations of motion presented in Figure 3. The state 
variables are the elements of the vector x> and the sensor measurement 
variables are the elements of the vector y. In the latter case, true 
airspeed and AOA correspond to air data sensors, and pitch attitude, pitch 
rate, and incremental vertical acceleration constitute inertial sensors. The 
SAS feedback is routed through the gain matrix K. Intuitively, the poor 
flying qualities of the free, unaugmented RSS airplane that are inherent in 
the system matrix A, are offset by the augmentation provided by sensor 
feedback through K. 

Since the SAS function is often necessary for safe readily controllable 
flight, over all or most of the flight regime, its continued proper operation 
must be ensured through redundant system components. In a redundant SAS 
architecture, there are generally two or more pitch-axis sensor signals fed 
back for the SAS function, e.g., AOA, normal acceleration, and pitch rate. 
So long as two of a given type of sensor are operating in agreement, that 
signal is available for the SAS computation. The differing nature of the 
various types of signals means that they make different contributions to 
flying qualities. Hence, the failure effects for the total loss of a signal 
type vary as well, but in general each loss results in some degradation of 
SAS performance. The intent of managed degradation is to minimize the degree 
as well as the frequency of performance degradation. 

Analytical sensor redundancy supports a managed degradation strategy in that 
it permits at least one additional LRU failure of a given type before total 
loss of the corresponding signal. This can be accomplished through the use 
of the observer algorithm to determine which of two disagreeing sensors is 
discrepant. Then the operable sensor can be kept on line. Otherwise, the 
onset of flying qualities degradation, and perhaps loss of a critical 
function, would occur more often. Although analytical sensor redundancy is 
possible as a DFCS software add-on, the overall system architecture and the 
fault degradation profile need to be designed in a comprehensive manner. 
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Figure 4. Stability Augmentation System Block Diagram 




2.3 Sensor Fault Tolerance Concepts 

Sensor fault tolerance is the accommodation of hardware faults which is 
usually based on some type of comparator scheme. One typical example is 
provided by the companion investigation on N-version programming (Reference 
5). Here two to four sensors were voted using a low median select strategy 
wherein all presumably normal voter inputs were compared with the selected 
signal. Essentially the same scheme is depicted for triplex pitch rate gyro 
sensors in Figure 5. Due to admissible sensor variations, both time and 
amplitude thresholds are employed by the comparators to eliminate nuisance 
trips. As noted earlier, this scheme is unable to discriminate which of just 
two disagreeing sensors is correct, unless other information exists to 
support the decision. This might be provided by a sensor validity signal, 
which may not be available or dependable. 

More encompassing supplementary fault decision information can be furnished 
by analytical redundancy mechanisms, as previously reported in Reference 6. 
There are many possible variations, particularly with respect to fault 
decision logic. In Figure 2, a conventional comparator mechanization was 
modified to accept an analytically synthesized sensor signal into an 
associated software voter. The logic could be set up such that the 
synthesized signal would be invoked only when needed to discriminate a 
disagreeing pair of sensors. Note that the illustrative calculations in 
Section 4.0 indicate worthwhile improvements in system reliability where a 
triplex set of sensors is flight critical. 

2 . 4 Observer Theory 

The reconstruction of a non-measured signal can be achieved using Kalman 
filtering or an observer algorithm. The latter is simpler and quite 
satisfactory for airplane inertial and air data sensors. Observer algorithm 
theory per se was developed in References 1 and 2, based on a mathematical 
modeling characterization of the dynamic behavior of a deterministic physical 
system and its forcing functions. For an airplane, this relates to airplane 
motion in response to flight controller inputs, e.g., elevator surface 
displacement, as evident in measurements of dynamic states, e.g., pitch rate. 
Where a measured variable is not state variable, the associated 
transformation must exist and be known from measurements to all states. In 
particular, the states must be observable in a mathematical sense (e.g., see 
Reference 6), as is normally the case. 

The foregoing relationships are best indicated through visualizing the two 
separate systems shown in Figure 6. The rigid body airplane dynamics are the 
same as presented in Figures 3 and 4. The second system is the observer, 
described here as a system of first-order differential equations similar to 
those descriptive of the airplane dynamics. The observer system, however, 
exists only as corresponding difference equations in computer software. Note 
that its system matrix is D, and that it has two forcing functions, the 
sensor measurement vector y as well as the flight controller vector u. The 
matrices D, E, and F of the observer system are derived from the airplane's 
behavior as captured in matrices A, B, and C. Hence, the observer in general 
contains the essential information about the airplane's behavior to 
reconstruct unmeasurable states, e.g. , those whose sensors are inoperable. 
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Figure 5. Triple^ Sensor VoTefl Comparator 
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Figure 6. Multi-Level Testing Closure 



For the observer derivation shown in Figure 6, there is a one-to-one 
correspondence between airplane states x and observer states z Thus the 

enahr er ^ ^ be COnverted using the measurement ' matrix ’ C to 

Iht It 3 t cross-comparison with the various sensor signals. Ideally 

feedb h \ °* server system can Unction without the measurement vector v 
feedback but uncertainties regarding the actual airplane dynamics compromi s ; 

h a modeling approach. Sensor feedback driving the observer, therefore 
captures actual state coupling inherent in the actual airplane dynamics. 

Of course as the airplane traverses a given flight profile its dynamic 

matrices A l ’IS "I 1 ” ,™ S U ^ •!—£ of 

matrices A, B, and C. It is therefore necessary to update the observer 

system matrices, D, E, and F, over a corresponding sequence of airplane trim 

invalid ° r T he P ob atlng P ° lntS ' Otherwise, the sensor comparison becomes 

invalid. The observer system updating also involves discretization of the 
observer dynamics to permit digital computation. Normally, this is a 
background mode computation that entails non-negligible overhead 


2.5 Software Modifications and Revalidation 


Here the analytical redundancy was 
(Reference 1) , with the predominant 
The need then is to determine the 
turn, the focus of the revalidation 
testing, and hence, analytical test 
sensor failure effects testing is 


added to the existing quadruplex DFCS 
impact, affecting the flight software, 
scope of software modifications, and in 
effort. The latter calls for multilevel 
case definition. At the system level, 
o -- ostensibly the same as for strictlv 
replicated hardware redundancy. At the lower levels of testing, observations 
are directed toward confirming consistency with the verified system/software 
re-design. With properly selected test cases, such consistency assurances 
r ^ COn 5 LdenCe that the modified DFCS mechanization can cope 
testing Ct ° rily Wlth COnditl ° ns and in P uts not actually applied during 

Basically, exhaustive testing of software is not possible, even with 
automated testing, so the best use must be made of test time and resources 

Th n-f ^ ld *° n t6St ° aSe definition must emphasize new requirements 
modified interfaces, and new or altered software. It must confirm that the 

rules or assumptions used in reliability assessment are valid. For overall 
general confidence in the modified DFCS, some regression testing must be 
performed as well to ensure that unintended changes have not inadvertently 
occurred, especially those outside the defined scope of modifications. 

2.6 Testing Activities 

Figure 7 summarizes the types and orientations of testing activities that 
originate in various stages of software development. The development results 
associated with each of these ' stages contribute to the definition of the 
multilevel test cases as implemented functions (e.g., see Reference 7) 
These respective testing contributions can be related to the analytical 
sensor redundancy modifications to indicate the nature and scope of testing 
necessary All the levels of testing can to some extent be accomplished 
unng real-time system simulation, as is described here. But this assumes 
that extensive low- level software testing and flight software load module 
integration have already been accomplished. 
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AIRFRAME DYNAMICS 



Figure 7. Observer System Sensor Fault Detection (Sheet 1 of 2) 












D — > OBSERVER SYSTEM MATRIX 

E — > SENSOR FORCING FUNCTION MATRIX 

F — > FLIGHT CONTROLS FORCING FUNCTION 
MATRIX 

z — > OBSERVER STATE VECTOR 
OBSERVER SYSTEM FORM: z = Dz + Ey + Fu 

SUBSTITUTE OBSERVER ASSUMPTION: z = y ; z = £ 

— > y = Dy + Ey + Fu 

NEXT, SUBSTITUTING: y = Cx & y = Cx 

--> Cx = (D + E) Cx + Fu 

PRE-MULTIPLYING THE AIRFRAME DYNAMICS EQUATION BY C 
— > Cx = C Ax + CBu 

EQUATING THE COEFFICIENTS OF x and u IN THE LAST TWO 
EQUATIONS: " 

— > F = CB £ CA = (D + E)C 

NOTE THAT MATRICES A, B, AND C ARE KNOWN A PRIORI, 
AND HENCE MATRIX F CAN BE SOLVED FOR DIRECTLY. 
MATRICES D AND E ARE NOT DEFINED AT THIS POINT, BUT 
THERE IS ONLY ONE EQUATION FOR THESE TWO UNKNOWNS. 
HENCE, D IS SOMEWHAT ARBITRARILY SELECTED TO BE A 
DIACONAL MATRIX, AND IN TURN, E IS SELECTED TO BE A 
MATRIX WITH ALL MAIN DIAGONAL ELEMENTS SET TO ZERO. 


Figure 7. Observer System Sensor Fault Detection (Sheet 2 of 2) 
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The addition of analytical sensor redundancy to an existing DFCS would 
normally involve system specification changes, but in all likelihood the 
system requirements would not be changed. In turn, the system/software 
design and the software implementation would necessarily be modified. The 
software re-design would reflect structural program changes in the form of 
both added and modified software units, with accompanying interface changes. 
Although some source code changes would appear in the program structure, most 
would occur within the new or modified software units. Ada program unit 
specifications aid in highlighting the scope of such changes, and explicitly 
define the revised interfaces. 

Multilevel testing then would focus primarily on the changes purposefully 
introduced into the DFCS software. These would include performance, 
coverage, and correctness oriented test case definition strategies to examine 
the functional, structural, and causal aspects of the modified software. 
These aspects of testing are expanded in Table 1 relative to the analytical 
sensor redundancy modification. Obviously, considerable sensor fault cases 
are necessary to exercise both attendant logic and the control algorithms, 
regression testing would address other DFCS modes and functions outside the 
scope of the intended modifications, and would include for example some 
requirements oriented testing. The purpose would be to ensure that no side 
effects or inadvertent changes had been introduced. 
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TABLE 1 


MULTILEVEL TEST CASE EXAMPLES 


DEVELOPMENT 
STAGE LEVEL 

TESTING 

FOCUS 

TYPE OF 
TESTING 

DFCS FEATURES 
OF INTEREST 

TYPE OF 
OBSERVATIONS 

Requirements 

General Utility 

Regression 

System Operation 

Overall 

Acceptability 

Specification 

Explicit Design 
Requirements 

Faulted 

Performance 

Managed Flying 
Degradation 

Pitch SAS 
Performance 

Design 

Software Design 
Features 

Struct- :ral , 
Path & 
Interfaces 

Mode Switching, 
Status & Timing 

Path Traversal 
& Function 
Invocation 

Implementation 

Source Code 
Behavior 

Control & 

Logic 

Functions 

Control Laws, 
Deriving Observer 
6t DFCS Logic 

Logic, Count 
& Control 
Variables 
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3 . 0 OBJECTIVES 


s with the other tasks under the sponsoring contract, the general objective 
task 1 WaS /H ex Pl°re certain aspects of fault tolerant DFCSs that 
might be employed where the performance of critical functions must be ensured 
despite multiple faults. In particular, the emphasis here was on sensor 
faults for the pitch SAS function. The intent has been to illustrate the 

Sr Z ^ 0n ° f analyt ^ cal redundancy in extending sensor fault tolerance 
Additionally, issues of re-design and revalidation have been introduced 

configurator redundancy features wer « added to an existing DFCS 

3.1 Goal 

The goal of this task has been to motivate, illustrate, and critique a 
representative example of analytical sensor redundancy similar to that which 
might appear in a DFCS submitted for airworthiness certification It Is 
intended that certain pivotal issues and viable approaches to enhanced or 
more economical system reliability will thereby be exemplified More 

hnlef n ^ u mecha " ics and efficacy of observer algorithms will 
hopefully be shown to be plausible and a worthwhile usage of digital 
processing capacity. 6 6 ai 

3.2 Task Objectives 

The specific objectives of this task are threefold: 

o to explain the operation of an observer algorithm as used for DFCS 
analytical sensor redundancy 

° the system architecture tradeoffs in terms of system 

reliability and implementation overhead 

° C ° ,^ 1UStrate the reval idation process attendant to a major DFCS 
modification. J 


3 . 3 Scope 

r era l °? er taSkS 1 ' the analytical sens °r redundancy effort has been 
limited to part of a typical DFCS pitch axis. It is felt that the basic 

principles of sensor fault tolerance can be better understood by a suitably 
ounded application example. Also, a straightforward observer algorithm is 
used rather than a much more complicated Kalman filter. Additionally not 

included 6 S ° ftWare needed for updating the observer dynamics has ’been 
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4.0 ASSESSMENT RESULTS 


A system architecture was selected based on an analytical sensor redundancy 
mo lfication to the previously developed quadruplex DFCS (Reference 1) The 

imnlemeni S r ratl0n K W ? S ^ minimizin S the impact on the existing DFCS 

implementation, while rendering a safe yet more economical design. Although 

the system simulator implementation at NASA Ames was programmed using 

the^ofJ i nS ’ aUgmented AED ( A1 S°1 Extended for Design) instruction set 

the software design was m Ada for improved clarity. 

4.1 Analytical Redundancy Concepts 

In addition to the requirement for observability of airplane states, Sheet 2 
• ,; gu ; e 6 noted two matrix equations whose was satisfaction was necessary 
in the development of the particular observer used here. The concluding 
statement there also indicated that Matrix D was to be a diagonal matrix and 

diagonal^° Sltl ° n E C ° haVe aU Zer ° eleme "ts on the main 

The D-Matrix choice was based on two aspects of simplifying observer system 

iither?han rinS t 6 term ' b ^ ' term exponentiation along the main diagonal, 
alon.rh i a- exponentiation; and similarly, term-by-term inversion 
along the main diagonal, rather than matrix inversion. The associated choice 
of zeroing the main diagonal of the E-Matrix means that no observer state is 

in d questifn nCtl ° n ^ ^ meaSUred value - whic h after all may be erroneous or 

The expanded derivation and general result of this development in the form of 
the observer matrices definitions are presented in Figure 8. Here the 
variables are as defined in Figure 6. Note that certain reasonable 
simplifications have been made, e.g., the longitudinal airplane equations of 

th^Matrices been reduced from six to four degrees -of- freedom. The forms of 
the Matrices A, B, and C were dictated, respectively, by: general airplane 
dynamics, the particular flight control effectors, and the selected 
complement of sensors. These are known quantities, expressed as variables, 
for purposes of defining the observer matrices. 

, F iS r ^ ad ^ ly defi " ed element-by-element in terms of Matrices B and C 
as noted at the bottom of Sheet 1 of Figure 8. Matrices D and E then take 
three sheets to develop under the above stated constraints. On Sheet 4 30 

matrix coefficients are then expressed in terms of 25 simple equations 
Accordingly five variables are parameters, selected here to ensure no zero 
values for this set of matrix elements. Of course, this computation was 
automated, as was the discretization algorithm to transform these continuous - 
time observer matrices into those for the corresponding discrete - time system 
as preferred for digital computation. system, 

4.2 Reliability Assessment 

Analytical redundancy, in the subject case at least, was not invoked until 
only two of a given type of sensor remain on-line. Then the observer served 
aS .. a tie-breaker in the event that the two sensors disagree. Hence the 

svstem 1 lty sment here ls in terms of dual sensors, in the context of 

system reliability improvements provided by the observer-based fault 
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I. Airframe Equations 
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Equations 

of Motion: 
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Figure 8 - Observers Matrix Determination (Sheet 1 of 4) 
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Figure 8 - Observers Matrix Determination (Sheet 2 of 4) 
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Figure 8 - Observers Matrix Determination (Sheet 3 of 4) 
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III. Particular Assignments 


Simplifications per the Present Case: 
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Figure 8 - Observers Matrix Determination (Sheet 4 of 4) 
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isolation. Figure 9 then illustrates three variants of a dual system, where 
contrasts are to be made regarding the contributions of self test/analytical 
redundancy combinations. 

In Sheet 1 of Figure 9, faulting of certain components are assumed to be 
obvious, e.g., non-engagable servo, and this is represented by parallel 
boxes. Note that paralleling denotes logical OR-ing to attain a operable 
system, and serial boxes denote logical AND-ing. As evident in Sheet 2, 
se lf test increases the extent of parallelism, which translates into improved 
system reliability. Sheet 3 reflects the contributions of analytical 
redundancy in that pairs of sensors are not linked in serial fashion, i.e., 
both sensors need not be working to have a usable signal output. 

Quantitative assessment results for these three configurations are 

represented in Table 2. The fault isolation capacity of self test is seen to 
only modestly improve system reliability, in part because it does not affect 
sensor aspects of reliability. Analytical redundancy, however, does improve 
reliability quite significantly (by three orders of magnitude), as the 
results show. Of course, the benefits of analytical redundancy would be much 
less for triplex sensor, because it would be involved less often. Note that 
the combination of self test and analytical redundancy are complementary, for 
they are suited for different types of fault isolation. Their combination is 
therefore natural and very beneficial. 

4.3 Simulation Investigation 

Simulation time histories of observer states versus sensor measurements 

states are given in Figure 10. Even under multiple sensor signal losses, the 
observer outputs match well with those of the sensors. This is not 
surprising for such a short duration in which that airplane dynamics have 
been represented exactly, and where re -trimming or other airplane changes, 
e.g., fuel burn-off, have not occurred. In practice, such concerns can be 

handled using additional flight software, as well as normal sensor signal 

tolerances . 

4.4 Observer Gust Filtering 

A scheme for using the observer algorithm for gust component filtering of the 
AOA signal is depicted in Figure 11. The wind forcing function vector is w, 
i directly excites the airplane through Matrix B, but not the observer 
dynamics. Hence, the observer states do not reflect the wind forcing 

functions, in particularly with regard to the AOA signal. Hence, the 

observed AOA can be fed back into the DFCS less the atmospheric noise 
component present on the AOA vane output. 

This effect is illustrated in the simulation time histories presented in 
Figure 12. AOA is essentially proportional to vertical velocity, or plunge, 
a signal that directly reflects vertical gusts. The corresponding observer 
signal is seen to be relatively free of the gust component, and hence it can 
be used advantageously for long term control functions like autothrottles. 
In certain cases however, like ride qualities control, the AOA gust component 
actually constitutes a meaningful signal, so filtering there would be 
inappropriate. In general, observers can be very useful because their filter 
characteristics are not strictly frequency dependent, a criteria that may not 
necessarily distinguish sensor signal content from the noise. 
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TABLE 2. RELIABILITY ASSESSMENT RESULTS 
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Figure 12. Observer Filtering Time History 



5 . 0 SUMMARY 


Basically, the technical feasibility and benefits of analytical sensor 
redundancy have been illustrated. The major benefit of extended likelihood 
of maintaining safe flying qualities has been demonstrated for a negative RSS 
transport airplane. Marginal reliability improvements have been calibrated, 
and the impact on validation/revalidation indicated. 

Ultimately, the decision to employ analytical sensor redundancy is found to 
be primarily an economic one, for conventional sensor redundancy and 
reliability levels are quite adequate at present. Still, the tradeoff 
between reduced sensors and increased software overhead may in certain cases 
favor analytical redundancy, particularly where its use is also warranted by 
associated nonlinear filtering applications. There, DFCS performance 
benefits may prove to be vital. 
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